- Driver Assistance:
  - Help human drivers be better & safer
- Driver Automation:
  - Vehicle actually drives




- Compare & contrast
  - Safety argument implications
  - Technology challenges




- Start with:
  - Automation modes for non-engineers

Assistive: Help the Driver Drive


- Better execute driver commands
  - Anti-lock brakes
  - Electronic stability control
- Momentarily intervene for safety
  - Automated emergency braking
- The driver is responsible for safety
  - The vehicle obeys driver intent
  - Interventions to improve driver performance
  - Functional safety covers equipment failures (ISO 26262)

Supervised: Driver Monitors for Safety

- Vehicle (mostly) does the driving
  - Speed control & lane keeping






- Human driver responsible for safety
  - Intervene to handle edge cases
- Driver monitors and intervenes
  - Vehicle must let driver intervene when needed (ISO 26262)
  - Effective driver monitoring required for automation complacency
  - Safety Of The Intended Function (SOTIF) (ISO 21448) helpful

ADAS Safety — Helping the Driver
- Proper functionality helps driver
  - Reduce driver stress, control mistakes
  - Helps avoid crashes
  - Tune to avoid false activations
- Arguably, good enough active safety
  - ADAS claims credit for safety; human blamed for crashes
  - BUT: avoid unreasonable demands on human drivers
    - Unaided humans are terrible at monitoring boring automation

Automated: The Car Drives

- Vehicle drives & handles safety
  - Driver need not pay attention to driving
  - Driving problems not dumped onto driver





- The vehicle responsible for driving safety
  - By definition: collisions are not fault of a human driver
- Tension between safety and permissiveness
  - False non-detections (false negatives) generally hurt safety
  - False detections (false positives) generally hurt permissiveness

Autonomous: No Human Oversight

- Vehicle handles driving & vehicle safety
  - There is no driver; no human supervision
  - Ensures passenger & cargo safety
  - Handles non-driving issues (e.g., post-crash)





- The vehicle is responsible for safe operation
  - Human does not help with safety
  - OK for vehicle to get help if it initiates request all on its own
- Adds requirement for non-driving sensing (UL 4600)
  - Passenger safety; cargo safety; vehicle equipment status
  - Beyond scope of Automated Driving System Levels in J3016
Vehicle Automation Modes

- Assistive & Supervised
  - Driver attention required
  - Vehicle responds to driver
  - Vehicle blame for unsafe intervention
    - Incentive for vehicle to under-perform
- Automated & Autonomous
  - No human attention on driving
    - Vehicle cannot count on human intervention for driving safety
  - Mode changes are requests, not demands by vehicle
    - Human actively confirms responsibility

Driver Mode Transitions





- Mode confusion is a problem
  - Driver positive acknowledgment
  - Request user attention, not “demand”
- Example issues:
  - Supervised changes to Assistive
    - Driver thinks vehicle is still steering
  - Automated changes to Supervised
    - Driver takes extended time to regain situational awareness
    - “Captain of ship” does not have a full driving license
  - Autonomous changes to Automated
    - Attendant rouses then falls back asleep (sleeps through alarm)
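
The handoff rule from the two slides above (mode changes are requests, and the driver positively acknowledges) sketched as an added example, not code from the slides. The class and method names are hypothetical, and treating an unacknowledged or mismatched acknowledgment as "stay in the current mode" is an assumption.

```python
from enum import Enum


class Mode(Enum):
    ASSISTIVE = 1
    SUPERVISED = 2
    AUTOMATED = 3
    AUTONOMOUS = 4


# Who is responsible for driving safety in each mode, as stated on the slides.
RESPONSIBLE = {
    Mode.ASSISTIVE: "human",
    Mode.SUPERVISED: "human",
    Mode.AUTOMATED: "vehicle",
    Mode.AUTONOMOUS: "vehicle",
}


class ModeManager:
    """Hypothetical mode arbiter: a handoff is a request until confirmed."""

    def __init__(self, mode):
        self.mode = mode
        self.pending = None  # target mode awaiting driver acknowledgment

    def responsible(self):
        return RESPONSIBLE[self.mode]

    def request_handoff(self, target):
        # The vehicle asks for a lower automation mode; nothing changes yet.
        if target.value >= self.mode.value:
            raise ValueError("handoff requests go to a lower automation mode")
        self.pending = target
        return self.mode

    def acknowledge(self, confirmed_mode):
        # The driver must confirm the specific mode being accepted; a stale or
        # mismatched acknowledgment is ignored (assumed mode-confusion guard).
        if self.pending is None or confirmed_mode != self.pending:
            return self.mode
        self.mode, self.pending = self.pending, None
        return self.mode

    def timeout(self):
        # No acknowledgment (e.g. attendant fell back asleep): the request
        # lapses and responsibility stays where it was (assumption).
        self.pending = None
        return self.mode
```
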
Automation Safety Challenges

- Assistive
  - More uniform adoption of ISO 26262
- Supervised
  - Safety credit if low false positives
  - Effective driver monitoring
- Automated
  - SOTIF, scenario completeness & coverage
  - Sensor fusion, perception, prediction
  - Blamed for false negatives
- Autonomous
  - UL 4600 coverage: drivers do more than drive

© 2021 Philip Koopman

Component Safety Challenges


- Positive Trust Balance:
  - Engineering Rigor, Validation, Feedback, Safety Culture
  - Standards-driven safety
- Safety Performance Indicators (SPIs)
  - Integrators asking for component safety cases
  - Field feedback: development; deployed
- Scalability past pilot vehicles
  - Accurate perception/prediction is still work in progress
  - Transition from brute force data to safety case
  - Key point: avoiding multi-sensor correlated failures

Organizational Safety Challenges




- Significant pressure to deploy
  - Flurry of empty driver seat demos in 2020
  - Can teams take the time needed for safety?
- Industry transparency needed
  - Safety collaboration rather than competition
  - Public trust in face of an adverse news event





- Ensuring robust safety cultures
  - Robotics meets automotive engineering
  - Silicon Valley culture + automotive culture + no human driver